On May 25, the European Union (EU) General Data Protection Regulation (GDPR) enforcement date passed, leaving many US businesses breathless from frantic sprints to complete compliance measures in time. The GDPR, intended to harmonize data privacy laws in the EU, mandates strict requirements on anyone “collecting” or “processing” “personal data” on “data subjects” residing in the EU. Replacing the 1995 directive that was unclear as to its extraterritorial reach, the GDPR proclaims dominion over the aforementioned collecting and processing activities regardless of whether conducted or directed from inside or outside the EU. Among its key provisions, the EU generally requires informed, affirmative and specific consent by data subjects to collection and processing of their personal data, consistent with an underlying push for greater transparency in the use of personal data. Under the GDPR, data subjects have a “fundamental right” not only to know when their personal data is used and for what purpose, but to have such data erased (the so-called “right to be forgotten”), modified or transferred upon request. Furthermore, the GDPR requires that data be protected by systems designed with privacy as a key priority, with information security controls for data protection and retention policies minimizing the retention of personal data to what is reasonably necessary.
These globally applicable obligations have received so much attention at least in part because they come with such sharp teeth--penalties for non-compliance of up to 4% of global turnover or 20 million euros, whichever is greater. Notwithstanding the two-year run-up to the enforcement date, the question remains: how prepared are companies, particularly US companies, for GDPR compliance? According to a recent article in Business Insider many US companies are not well prepared. (Price, 2018)[i]. Many American companies, particularly smaller ones, find compliance with the GDPR burdensome, requiring the assistance of professionals with specialized expertise and potentially costly changes associated with information technology.
The wider context for the GDPR’s entry into force includes a backdrop of increasing worldwide concern for personal data privacy in the wake of high profile data breaches like Uber and Equifax as well as the Facebook-Cambridge Analytica data misuse scandal. This confluence of disturbing data privacy news raises the question of whether a US legislative equivalent to GDPR is near or at least approaching. Many predict that a higher level of data protection in the US is inevitable, but the form it would take is unclear. Following the Facebook-Cambridge Analytica scandal, Mark Zuckerberg’s questioning by Congress suggested that US lawmakers are at least considering greater regulation. But will this take the form of sweeping legislation applying to all sectors? Or will it only address social media for the time being? Will it be so broad as to chill the benefits of big data?
Amidst all of the teeth gnashing over the sanctity of personal data--a category of sweeping proportions under the GDPR that includes reams of data not traditionally considered “private" in the US—one could easily lose sight of the fact that big data has great potential to improve the quality of life. For example, the potential of computers to analyze vast quantities of health-related data across populations to find connections and common denominators could bring better treatments and prevention of illnesses. This type of benefit is particularly noteworthy when big data is combined with other technologies now under more intense scrutiny for privacy impacts, such as artificial intelligence. The challenge for legislators and other policy-makers is to address legitimate concerns about data privacy while still encouraging beneficial uses of data.
To some extent, the GDPR includes mechanisms for striking such a balance. For example, the GDPR explicitly states specific conditions where processing of personal data is lawful separate and apart from data subject consent. These conditions are where such processing is necessary for: performance with a contract, compliance with legal obligations, protection of “vital interests” of natural persons, performance of tasks “in the public interest” or in the “exercise of official authority” and finally and most controversially in terms of appropriate scope of application, the “legitimate interests” provision. No one yet knows how consent requirement exceptions like the “legitimate interests” category will be interpreted upon review in litigation, but the presence of such provisions in the GDPR leaves no doubt that the EU recognized that regulating data privacy in an information economy must allow for some nuance.
The GDPR also wisely foregoes prescriptive data protection requirements tied to specific technologies, instead taking a tack similar to certain US regulators on cybersecurity. In this practical and flexible approach, data security obligations are tied to risk and proportionality, leaving room for reasonable differences of opinion as to what specific information security controls are appropriate under any given circumstances. While techniques like encryption and “pseudonymization” are offered as examples or suggestions, they are not cast as absolute requirements. Privacy protection technology and methodology is left to develop without artificial regulatory constraints; business enterprises with more than enough on their plates in trying to address cybersecurity risk can take solace in a partial reprieve from forcing square pegs into round holes.
Moreover, for all of the inconvenience and burden rightly or wrongly decried as unfair by many non-EU businesses, the root cause of the difficulties many such entities have experienced in pursuing GDPR compliance (and other legal and risk management challenges in the inextricably intertwined areas of data privacy and security) is the neglect of fundamental digital hygiene. We cannot blame the EU data privacy commissioners for the fact that most businesses still do not have basic control over their systems and data, i.e., information assets. How many organizations keep current information on what types of data they store, in which systems, for how long and with what protections? Without such self-knowledge, there is insufficient visibility and thus no reasonably informed foundation for building security and privacy programs. In other words, a good part of the asserted GDPR compliance “burden” is not in buying or building new controls, but in identifying and documenting what already exists.
Many professional advisors have observed that this taking stock of current state was the greatest contributing factor enlarging the dust cloud stirred up by the flurry of desperate activity leading up to the GDPR “apocalypse” on May 25th. The GDPR requires recordkeeping identifying, among other things, what types of data are stored and in what systems. Is this an unreasonable requirement? Any enterprise that answers “yes” has bigger problems than GDPR. While compiling this information can be a lot of work, no one can argue that it isn’t a pre-requisite to a reasonable approach to protecting any type of valued information, whether personal or business.
After some time passes and the pain heals from what for many businesses was a last-minute scramble for GDPR compliance, many of these same businesses will come to appreciate how the effort made them stronger from a compliance, security and even operational performance stance. Thanks to the threat of GDPR enforcement, they will have gained a new level of knowledge and control over their information assets. If they can resolve to make this kind of information technology knowledge and control a new habit, they will find that everything from responding to a regulator’s subpoena to forecasting their I.T. budgets will be easier and more accurate. Instead of seeing GDPR as an expletive “four-letter word” perhaps they will say “Thank you GDPR!”
[i] Rob Price, May 23, 2018 at http://www.businessinsider.com/what-is-gdpr-regulation-explained-2018-4.